Resubmissions

27-07-2024 05:11

240727-fvc5kaygpl 10

25-07-2024 01:26

240725-btj49szbrl 10

General

  • Target

    6d991f93327f70488011bf06ba799930_JaffaCakes118

  • Size

    730KB

  • Sample

    240725-btj49szbrl

  • MD5

    6d991f93327f70488011bf06ba799930

  • SHA1

    1b630a8c337cc48f9ec41cccc4352f51e7d51e71

  • SHA256

    abfc5a0bbf24e3dbc1c76c0734ea0b1ed6a0d5ff6f44f2a5a3e4e2f9317118c3

  • SHA512

    181be4ad5a549d51461fd8c9a470abac2895f51b5ec1cdba6927644ca0e8fb91663d8635ed5c98f4a90ae2752eb98b3235f106ee2d009cc885bdf6d0faadfe70

  • SSDEEP

    12288:tFda+FdahcQS8zfwkD/j1UGmy7eaqwVlXN8eR5dKFLtnoAf:8cn8zfwa1Dmyxrd8eqLt

Malware Config

Extracted

Family

matiex

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MARYolanmauluogwo@ever

Targets

    • Target

      6d991f93327f70488011bf06ba799930_JaffaCakes118

    • Size

      730KB

    • MD5

      6d991f93327f70488011bf06ba799930

    • SHA1

      1b630a8c337cc48f9ec41cccc4352f51e7d51e71

    • SHA256

      abfc5a0bbf24e3dbc1c76c0734ea0b1ed6a0d5ff6f44f2a5a3e4e2f9317118c3

    • SHA512

      181be4ad5a549d51461fd8c9a470abac2895f51b5ec1cdba6927644ca0e8fb91663d8635ed5c98f4a90ae2752eb98b3235f106ee2d009cc885bdf6d0faadfe70

    • SSDEEP

      12288:tFda+FdahcQS8zfwkD/j1UGmy7eaqwVlXN8eR5dKFLtnoAf:8cn8zfwa1Dmyxrd8eqLt

    • Matiex

      Matiex is a keylogger and infostealer first seen in July 2020.

    • Matiex Main payload

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks